Researchers have found a new variant of the MidgeDropper malware that targets Windows systems. The campaign specifically aims at work-from-home users with Windows PCs, which suggests the attackers intend to exploit the security weaknesses that commonly exist in remote working environments.
MidgeDropper Malware Variant Infects Windows Work-from-Home Users
Researchers from Fortinet’s Fortiguard Labs have found a new MidgeDropper malware variant that targets Windows devices. The threat actors behind this campaign appear to target remote employees or work-from-home users to spread the malware. What makes this variant noteworthy is its use of more complex techniques, such as DLL sideloading and code obfuscation.
In brief, the attack begins with a malicious archive file – the one the researchers found was named “!PENTING_LIST OF OFFICERS.rar.” This archive contained two files: a PDF named “Notice to Work-From-Home groups.pdf,” which holds only a dummy image of an error message meant to fool the user, and an executable named “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe”. The executable simply includes “.pdf” in its file name to trick victims into believing it is a PDF.
This trick works because Windows hides file extensions by default, so the executable appears in Explorer as a PDF. After supposedly failing to open the real PDF, the victim would likely click the executable, believing it to be another PDF. Once run, the executable downloads four more files, including “seAgnt.exe”, a renamed copy of the Microsoft Xbox Game Bar Full Trust COM Server “GameBarFTServer.exe”, which is used to sideload a malicious DLL.
The researchers have shared a detailed technical analysis of this variant in their post. They could not analyze the final payloads because the later stages of the infection chain had already been taken down by the time of the analysis.
Exact Attack Vector Is Yet Unclear – But Is Likely Phishing
While Fortinet discovered and analyzed the malware in detail, the researchers could not identify the exact attack vector. However, since archive files like the one used in this attack typically arrive as email attachments, they suspect phishing emails are the likely vector.
To avoid such threats, users should stay cautious when interacting with unsolicited emails or messages, particularly those carrying attachments or URLs.
Moreover, since this attack relies mainly on the default Windows setting that hides file extensions, a key defense against this and similar malware is to enable extension display in Windows Explorer. It helps users spot dubious files, such as executables with deceptive names and conflicting double extensions.
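A defender-side check for the two tricks described in this article, as an added PowerShell example (not code from Fortinet or the article): it turns on extension display through the HideFileExt registry value and scans a folder for double-extension names and for executables whose on-disk name differs from the name embedded in their version info. The function names, extension lists and the OriginalFilename comparison are assumptions of this example, not details from the page.

```powershell
# Added example, not part of the original article. Assumes Windows PowerShell 5.1 or later.
# 1) Show file extensions in Explorer for the current user, so "report.pdf.exe" is no longer
#    displayed as "report.pdf". Takes effect once Explorer restarts (sign out/in or restart explorer.exe).
function Enable-FileExtensionDisplay {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
}

# 2) Scan a folder (an extracted archive, the Downloads directory) for the deceptions above:
#    a document-looking name that ends in an executable extension, and an executable whose
#    on-disk name differs from the name it was built with (as with seAgnt.exe, a renamed
#    GameBarFTServer.exe used for DLL sideloading). Findings are leads for review, not verdicts:
#    some legitimate binaries are shipped under a name other than their OriginalFilename.
function Find-DeceptiveFiles {
    param([Parameter(Mandatory)][string]$Path)

    # Assumed lists; extend to match the document types your users actually receive.
    $docExts  = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.txt', '.jpg', '.png')
    $execExts = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.ps1', '.lnk')
    $peExts   = @('.exe', '.dll')

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file  = $_
        $ext   = $file.Extension.ToLowerInvariant()
        # For "<name>.pdf.exe", BaseName is "<name>.pdf", so its own extension is the decoy.
        $inner = [System.IO.Path]::GetExtension($file.BaseName).ToLowerInvariant()

        if (($execExts -contains $ext) -and ($docExts -contains $inner)) {
            [pscustomobject]@{ File = $file.FullName; Finding = "Double extension ($inner$ext)" }
        }

        # Compare the PE's embedded original file name with the name on disk.
        if ($peExts -contains $ext) {
            $orig = $file.VersionInfo.OriginalFilename
            if ($orig -and ($orig.Trim() -ne $file.Name)) {
                [pscustomobject]@{ File = $file.FullName; Finding = "Renamed binary (built as '$orig')" }
            }
        }
    }
}

# Usage:
# Enable-FileExtensionDisplay
# Find-DeceptiveFiles -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```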